Index: crypto/heimdal/kadmin/version4.c diff -c crypto/heimdal/kadmin/version4.c:1.1.1.1.2.3 crypto/heimdal/kadmin/version4.c:1.1.1.1.2.4 *** crypto/heimdal/kadmin/version4.c:1.1.1.1.2.3 Fri Sep 20 05:50:21 2002 --- crypto/heimdal/kadmin/version4.c Mon Oct 21 22:51:10 2002 *************** *** 822,827 **** --- 822,834 ---- off += _krb5_get_int(msg + off, &rlen, 4); memset(&authent, 0, sizeof(authent)); authent.length = message.length - rlen - KADM_VERSIZE - 4; + + if(authent.length >= MAX_KTXT_LEN) { + krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen); + make_you_loose_packet (KADM_LENGTH_ERROR, reply); + return; + } + memcpy(authent.dat, (char*)msg + off, authent.length); off += authent.length; Index: crypto/kerberosIV/kadmin/kadm_ser_wrap.c diff -c crypto/kerberosIV/kadmin/kadm_ser_wrap.c:1.1.1.3 crypto/kerberosIV/kadmin/kadm_ser_wrap.c:1.1.1.3.12.1 *** crypto/kerberosIV/kadmin/kadm_ser_wrap.c:1.1.1.3 Sun Jan 9 02:27:52 2000 --- crypto/kerberosIV/kadmin/kadm_ser_wrap.c Wed Oct 23 08:21:32 2002 *************** *** 117,132 **** u_char *retdat, *tmpdat; int retval, retlen; ! if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) { errpkt(errdat, dat, dat_len, KADM_BAD_VER); return KADM_BAD_VER; } in_len = KADM_VERSIZE; /* get the length */ ! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0) return KADM_LENGTH_ERROR; in_len += retc; authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t); memcpy(authent.dat, (char *)(*dat) + in_len, authent.length); authent.mbz = 0; /* service key should be set before here */ --- 117,141 ---- u_char *retdat, *tmpdat; int retval, retlen; ! if (*dat_len < (KADM_VERSIZE + sizeof(u_int32_t)) ! || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE) != 0) { errpkt(errdat, dat, dat_len, KADM_BAD_VER); return KADM_BAD_VER; } in_len = KADM_VERSIZE; /* get the length */ ! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0 || ! (r_len > *dat_len - KADM_VERSIZE - sizeof(u_int32_t))) { ! errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR); return KADM_LENGTH_ERROR; + } + in_len += retc; authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t); + if (authent.length > MAX_KTXT_LEN) { + errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR); + return KADM_LENGTH_ERROR; + } memcpy(authent.dat, (char *)(*dat) + in_len, authent.length); authent.mbz = 0; /* service key should be set before here */